V8.13.384.2025.11.06

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

config/hooks/live/0000_basic_chroot_setup.chroot

@@ -220,8 +220,8 @@ if [[ -f /root/.architecture ]]; then
 fi
 
 
-mkdir -p /root/.ciss/dlb/{backup,log,private_keys}
-chmod 0700 /root/.ciss/dlb/{backup,log,private_keys}
+mkdir -p /root/.ciss/cdlb/{backup,log,private_keys}
+chmod 0700 /root/.ciss/cdlb/{backup,log,private_keys}
 
 mkdir -p /root/git
 chmod 0700 /root/git

config/hooks/live/0050_activate_root.chroot

@@ -25,8 +25,8 @@ fi
 cd /root
 
 # shellcheck disable=SC2312
-cp /etc/shadow /root/.ciss/dlb/backup/shadow.bak."$(date +%F_%T)"
-chmod 0600 /root/.ciss/dlb/backup/shadow.bak.*
+cp /etc/shadow /root/.ciss/cdlb/backup/shadow.bak."$(date +%F_%T)"
+chmod 0600 /root/.ciss/cdlb/backup/shadow.bak.*
 
 declare hashed_pwd
 declare safe_hashed_pwd

config/hooks/live/0120_set_hostname.chroot

@@ -13,8 +13,8 @@ set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 
-mv /etc/hostname /root/.ciss/dlb/backup/hostname.bak
-mv /etc/mailname /root/.ciss/dlb/backup/mailname.bak
+mv /etc/hostname /root/.ciss/cdlb/backup/hostname.bak
+mv /etc/mailname /root/.ciss/cdlb/backup/mailname.bak
 
 cat << 'EOF' >| /etc/hostname
 live.local

config/hooks/live/0810_chrony_setup.chroot

@@ -23,8 +23,8 @@ apt-get install -y adjtimex chrony tzdata
 
 systemctl enable chrony.service
 
-mv /etc/chrony/chrony.conf /root/.ciss/dlb/backup/chrony.conf.bak
-chmod 0644 /root/.ciss/dlb/backup/chrony.conf.bak
+mv /etc/chrony/chrony.conf /root/.ciss/cdlb/backup/chrony.conf.bak
+chmod 0644 /root/.ciss/cdlb/backup/chrony.conf.bak
 
 cat << EOF >| /etc/chrony/chrony.conf
 # SPDX-Version: 3.0

config/hooks/live/0860_sops.chroot

@@ -40,26 +40,14 @@ cosign verify-blob "sops-${SOPS_VER}.checksums.txt" \
 sha256sum -c "sops-${SOPS_VER}.checksums.txt" --ignore-missing
 
 install -m 0755 "${SOPS_FILE}" /usr/local/bin/sops
-sops --version --check-for-updates
-age --version
+sops --version --check-for-updates >| /root/.ciss/cdlb/log/sops.log
+age --version                      >| /root/.ciss/cdlb/log/age.log
 
 rm -f "/tmp/${SOPS_FILE}"
 rm -f "/tmp/sops-${SOPS_VER}.checksums.txt"
 rm -f "/tmp/sops-${SOPS_VER}.checksums.pem"
 rm -f "/tmp/sops-${SOPS_VER}.checksums.sig"
 
-umask 0077
-
-mkdir -p /root/.config/sops/age
-
-cat << 'EOF' >| /root/.config/sops/age/keys.txt
-{{ secrets.CISS_PHYS_AGE }}
-EOF
-
-if grep -q '{{ secrets.' /root/.config/sops/age/keys.txt; then
-  : >| /root/.config/sops/age/keys.txt
-fi
-
 chmod 0400 /root/.config/sops/age/keys.txt
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"

config/hooks/live/9910_motd.chroot

@@ -13,8 +13,8 @@ set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 
-mkdir -p /root/.ciss/dlb/backup/update-motd.d
-cp -af /etc/update-motd.d/* /root/.ciss/dlb/backup/update-motd.d
+mkdir -p /root/.ciss/cdlb/backup/update-motd.d
+cp -af /etc/update-motd.d/* /root/.ciss/cdlb/backup/update-motd.d
 
 cat << 'EOF' >| /etc/update-motd.d/10-uname
 #!/bin/sh

config/hooks/live/9920_deleting_invalid_x509.chroot

@@ -14,7 +14,7 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 
 declare -a search_dirs=("/etc/ssl/certs" "/usr/local/share/ca-certificates" "/usr/share/ca-certificates" "/etc/letsencrypt")
-declare backup_dir="/root/.ciss/dlb/backup/certificates"
+declare backup_dir="/root/.ciss/cdlb/backup/certificates"
 declare current_date
 current_date=$(date +%s)
 declare -ax expired_certificates=()

config/hooks/live/9940_hardening_memory.dump.chroot

@@ -13,8 +13,8 @@ set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 
-cp -u /etc/security/limits.conf /root/.ciss/dlb/backup/limits.conf.bak
-chmod 0644 /root/.ciss/dlb/backup/limits.conf.bak
+cp -u /etc/security/limits.conf /root/.ciss/cdlb/backup/limits.conf.bak
+chmod 0644 /root/.ciss/cdlb/backup/limits.conf.bak
 
 grep -Eq '^[[:space:]]*\*[[:space:]]+soft[[:space:]]+core[[:space:]]+0[[:space:]]*$' /etc/security/limits.conf \
   || sed -i -E '/^[[:space:]]*#?[[:space:]]*soft[[:space:]]+core[[:space:]]+0[[:space:]]*$/ i\*               soft    core            0' /etc/security/limits.conf

config/hooks/live/9950_hardening_fail2ban.chroot

@@ -15,14 +15,14 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 
 cd /root
 
-cp -u /etc/fail2ban/fail2ban.conf /root/.ciss/dlb/backup/fail2ban.conf.bak
-chmod 0400 /root/.ciss/dlb/backup/fail2ban.conf.bak
+cp -u /etc/fail2ban/fail2ban.conf /root/.ciss/cdlb/backup/fail2ban.conf.bak
+chmod 0400 /root/.ciss/cdlb/backup/fail2ban.conf.bak
 
 ### https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024305
 sed -i 's/#allowipv6 = auto/allowipv6 = auto/1' /etc/fail2ban/fail2ban.conf
 
-mv /etc/fail2ban/jail.d/defaults-debian.conf /root/.ciss/dlb/backup/defaults-debian.conf.bak
-chmod 0400 /root/.ciss/dlb/backup/defaults-debian.conf.bak
+mv /etc/fail2ban/jail.d/defaults-debian.conf /root/.ciss/cdlb/backup/defaults-debian.conf.bak
+chmod 0400 /root/.ciss/cdlb/backup/defaults-debian.conf.bak
 
 cat << EOF >| /etc/fail2ban/jail.d/ciss-default.conf
 # SPDX-Version: 3.0
@@ -205,7 +205,7 @@ EOF
 ###########################################################################################
 # Remarks: Logrotate must be updated either                                               #
 ###########################################################################################
-cp -a /etc/logrotate.d/fail2ban /root/.ciss/dlb/backup/fail2ban_logrotate.bak
+cp -a /etc/logrotate.d/fail2ban /root/.ciss/cdlb/backup/fail2ban_logrotate.bak
 cat << EOF >| /etc/logrotate.d/fail2ban
 /var/log/fail2ban/fail2ban.log {
     daily

config/hooks/live/9980_usb_guard.chroot

@@ -23,7 +23,7 @@ usbguard generate-policy >> /tmp/rules.conf
 
 if [[ -f /etc/usbguard/rules.conf && -s /etc/usbguard/rules.conf ]]; then
 
-  mv /etc/usbguard/rules.conf /root/.ciss/dlb/backup/usbguard_rules.conf.bak
+  mv /etc/usbguard/rules.conf /root/.ciss/cdlb/backup/usbguard_rules.conf.bak
   cp -a /tmp/rules.conf /etc/usbguard/rules.conf
   chmod 0600 /etc/usbguard/rules.conf
 
@@ -35,7 +35,7 @@ else
 
 fi
 
-cp -a /etc/usbguard/usbguard-daemon.conf /root/.ciss/dlb/backup/usbguard-daemon.conf.bak
+cp -a /etc/usbguard/usbguard-daemon.conf /root/.ciss/cdlb/backup/usbguard-daemon.conf.bak
 #sed -i "s/PresentDevicePolicy=apply-policy/PresentDevicePolicy=allow/" /etc/usbguard/usbguard-daemon.conf
 
 rm -f /tmp/rules.conf

config/hooks/live/9991_file_permissions.chroot

@@ -18,8 +18,8 @@ chmod 0644 /etc/issue
 chmod 0644 /etc/issue.net
 
 if [[ -f /etc/motd ]]; then
-  cp -a /etc/motd /root/.ciss/dlb/backup/motd.bak
-  chmod 0644 /root/.ciss/dlb/backup/motd.bak
+  cp -a /etc/motd /root/.ciss/cdlb/backup/motd.bak
+  chmod 0644 /root/.ciss/cdlb/backup/motd.bak
   rm /etc/motd
 fi
 
@@ -36,7 +36,7 @@ cat << EOF >| /etc/motd
 
 EOF
 
-cp -a /etc/login.defs /root/.ciss/dlb/backup/login.defs.bak
+cp -a /etc/login.defs /root/.ciss/cdlb/backup/login.defs.bak
 
 sed -ri 's/^(#?LOGIN_TIMEOUT)[[:space:]]+[0-9]+/\1 180/' /etc/login.defs
 sed -i 's/UMASK		022/UMASK		077/' /etc/login.defs

config/hooks/live/9993_aide.chroot

@@ -17,7 +17,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 apt-get install -y aide > /dev/null 2>&1
 
-cp -u /etc/aide/aide.conf /root/.ciss/dlb/backup/aide.conf.bak
+cp -u /etc/aide/aide.conf /root/.ciss/cdlb/backup/aide.conf.bak
 sed -i "s/Checksums = H/Checksums = sha512/" /etc/aide/aide.conf
 
 if aideinit > /dev/null 2>&1; then

config/hooks/live/9994_password_policy.chroot

@@ -20,8 +20,8 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 # shellcheck disable=SC2155
 declare -r VAR_DATE="$(date +%F)"
 
-cp -a /etc/security/pwquality.conf /root/.ciss/dlb/backup/pwquality.conf.bak
-chmod 0644 /root/.ciss/dlb/backup/pwquality.conf.bak
+cp -a /etc/security/pwquality.conf /root/.ciss/cdlb/backup/pwquality.conf.bak
+chmod 0644 /root/.ciss/cdlb/backup/pwquality.conf.bak
 
 cat << EOF >| /etc/security/pwquality.conf
 # SPDX-Version: 3.0

config/hooks/live/9996_auditd.chroot

@@ -29,9 +29,9 @@ cd /root
 export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 apt-get install -y auditd
 
-cp -u /etc/audit/audit.rules /root/.ciss/dlb/backup/audit.rules.bak
-cp -u /etc/audit/auditd.conf /root/.ciss/dlb/backup/auditd.conf.bak
-cp -u /etc/audit/rules.d/audit.rules /root/.ciss/dlb/backup/rules_d_audit.rules.bak
+cp -u /etc/audit/audit.rules /root/.ciss/cdlb/backup/audit.rules.bak
+cp -u /etc/audit/auditd.conf /root/.ciss/cdlb/backup/auditd.conf.bak
+cp -u /etc/audit/rules.d/audit.rules /root/.ciss/cdlb/backup/rules_d_audit.rules.bak
 rm -rf /etc/audit/rules.d/audit.rules
 
 ############################################################### /etc/audit/rules.d/00-base-config.rules

config/hooks/live/9997_debsums.chroot

@@ -19,8 +19,8 @@ cd /root
 export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 apt-get install -y --no-install-recommends debsums
 
-cp -a /etc/default/debsums /root/.ciss/dlb/backup/debsums.bak
-chmod 0644 /root/.ciss/dlb/backup/debsums.bak
+cp -a /etc/default/debsums /root/.ciss/cdlb/backup/debsums.bak
+chmod 0644 /root/.ciss/cdlb/backup/debsums.bak
 sed -i "s/CRON_CHECK=never/CRON_CHECK=monthly/" /etc/default/debsums
 
 if debsums -g > /dev/null 2>&1; then

config/hooks/live/9999_interfaces_update.chroot

@@ -16,7 +16,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 # shellcheck disable=SC2155
 declare -r VAR_DATE="$(date +%F)"
 
-mv /etc/network/interfaces /root/.ciss/dlb/backup/interfaces.chroot
+mv /etc/network/interfaces /root/.ciss/cdlb/backup/interfaces.chroot
 rm -f /etc/network/interfaces
 
 cat << EOF >| /etc/network/interfaces